Abstract: In one embodiment, a service function forwarder (SFF) analyzes pre-service state and post-service state of an original packet to determine whether to initiate and perform service offload or service bypass. A service function forwarder (SFF) receives a particular packet having a service function chain (SFC) encapsulation of the original packet, the SFC encapsulation identifying a particular service function path (SFP) designating a particular service function (SF). The SFF extracts pre-service state of the original packet, typically adding it to the particular packet in an In-Situ Operations, Administration, and Maintenance (IOAM) data field (or alternatively storing locally) before sending the particular packet to the particular SF. The SFF receives the particular packet after the SF applies the particular network service.

Abstract: In one embodiment, nodes use in-band operations data (e.g., carried in iOAM data field(s)) to signal departures in the processing of a packet in a network. A “departure” refers to a divergence or deviation, as from an established rule, plan, or procedure. Departures include, but are not limited to, sending a packet over a backup path (thus, a departure/deviation from sending over a primary path); offload processing of a packet (thus, a departure/deviation from processing of a packet by an application processing apparatus); and exception or punting/slow/software path processing of a packet (thus, a departure/deviation from normal or fast/hardware path processing of a packet). In one embodiment, a proof of transit validation apparatus uses departure information to select among multiple possible verification secrets, with the selected verification secret used in validation processing with a cumulative secret value obtained from the packet.

Abstract: A reactive mechanism for in-situ operation, administration, and maintenance (IOAM) traffic is provided. In one embodiment, a method is provided that includes assigning a plurality of discriminator identifiers associated with a plurality of discriminators. Each discriminator is mapped to a specified action. The method includes receiving a data packet that includes an IOAM header comprising telemetry data associated with the data packet and a bidirectional forwarding detection (BFD) field that includes a specified discriminator identifier.

Abstract: A method provided that is performed at one or more intermediate nodes in a path in a network. The node receives a packet having a header that includes metadata that has been accumulated as the packet travels along the path in the network. The node detects whether a trigger condition has occurred. In response to detecting that the trigger condition has occurred, the node exports, to a destination entity, at least a portion of the metadata that has been accumulated in the header so that the portion of the metadata is removed from the header after it has been exported.

Abstract: In one embodiment, a service configured to execute on trusted participant devices authenticates network service devices each having identifying information and one or more offered services, and creates an entry into a secure digital ledger for each authenticated network service device and associated offered services, each entry based on the identifying information and the one or more offered services for a corresponding network service device. Upon receiving an advertisement for an advertised service from an advertising device attached to a given trusted participant device, the service then requests and may receive an authentic ledger entry from the secure digital ledger for the advertised service.

Abstract: A method is provided that is performed by a network element in a network. The network element receives a packet. The network element inserts into a header of the packet, packet replication information indicating whether and to which egress interface the network element performs a replication operation on the packet, wherein the header is an In-Situ Operations, Administration and Management (IOAM) header. The network element sends the packet, with the packet replication information included in the IOAM header, in the network.

Abstract: In one embodiment, expected path information is obtained that describes one or more possible paths to be taken by network traffic between an ingress node and an egress node in a network that includes a plurality of nodes each configured to populate an In-Situ Operations, Administration and Management (IOAM) header of packets with node identifier information indicating node transit of packets through the network. A packet is sent into the network, the packet including routing instructions for the packet to travel through the network. A plurality of node identifiers accumulated as the packet travels through the network are obtained from the IOAM header of the packet. The plurality of node identifiers represent actual path information for the actual path traveled by the packet. The path taken by the packet is validated based on a comparison of the actual path information with the expected path information.

Abstract: A reactive mechanism for in-situ operation, administration, and maintenance (IOAM) traffic is provided. In one embodiment, a method is provided that includes assigning a plurality of discriminator identifiers associated with a plurality of discriminators. Each discriminator is mapped to a specified action. The method includes receiving a data packet that includes an IOAM header comprising telemetry data associated with the data packet and a bidirectional forwarding detection (BFD) field that includes a specified discriminator identifier.

Abstract: Presented herein are techniques for monitoring packets in a container networking environment. A method includes receiving a packet at a network node, the packet having been routed to the network node in accordance with instructions from a container orchestration system, inserting an additional field in the packet that is configured to record a path of the packet within a first POD of the host device that includes at least one container, forwarding the packet to the first POD of the host device in accordance with the instructions from the container orchestration system, updating the additional field with container networking path information as the packet transits the first POD and the at least one container therein, storing the container path information in an analytics node of the network node, removing the additional field from the packet, and transmitting the packet from the network node to the network.

Abstract: An example method is provided in one example embodiment and may include configuring a measurement indication for a packet; forwarding the packet through a service chain comprising one or more service functions; recording measurement information for the packet as it is forwarded through the service chain; and managing capacity for the service chain based, at least in part, on the measurement information. In some cases, the method can include determining end-to-end measurement information for the service chain using the recorded measurement information. In some cases, managing capacity for the service chain can further include identifying a particular service function as a bottleneck service function for the service chain; and increasing capacity for the bottleneck service. In various instances, increasing capacity for the bottleneck service can include at least one of: instantiating additional instances of the bottleneck service; and instantiating additional instances of the service chain.

Abstract: A method provided that is performed at one or more intermediate nodes in a path in a network. The node receives a packet having a header that includes metadata that has been accumulated as the packet travels along the path in the network. The node detects whether a trigger condition has occurred. In response to detecting that the trigger condition has occurred, the node exports, to a destination entity, at least a portion of the metadata that has been accumulated in the header so that the portion of the metadata is removed from the header after it has been exported.

Abstract: In one embodiment, a method comprises generating, by a network device in a network, a Bloom filter bit vector representing services provided by service provider devices in the network; and the network device executing a service discovery operation based on identifying, relative to the Bloom filter bit vector, whether an identified service in a received message is executed in the network.

Abstract: A system and methods are provided for verifying proof of transit of network traffic through a plurality of network nodes in a network. Information is obtained about a packet at a network node in a network. The information may include in-band metadata of the packet. Verification information is read from in-band metadata of the packet. Updated verification information is generated from the verification information read from the packet and based on configuration information associated with the network node. The updated verification information is written back to the in-band metadata in the packet. The packet is forwarded from the network node in the network.

Abstract: In one embodiment, a sleep proxy device identifies one or more services offered by a first node in the network. The sleep proxy device announces the one or more identified services to a second node in the network on behalf of the first node. The sleep proxy device intercepts an attempt by the second node to use the one or more services offered by the first node. The sleep proxy device causes the first node to switch from a low power state to an awake state, based on the intercepted attempt.

Abstract: A system and methods are provided herein for verifying proof of transit of traffic through a plurality of network nodes in a network. In one embodiment, a method is provided in which information is obtained about a packet at a network node in a network. The information includes in-band metadata. Verification information is read from the in-band metadata. The verification information for use in verifying a path of the packet in the network. Updated verification information is generated from the verification information read from the packet. The updated verification information is written to the in-band metadata of the packet, and the packet is forwarded from the network node in the network.

Abstract: A system and methods are provided for verifying proof of transit of network traffic through a plurality of network nodes in a network. In one embodiment, each network node reads a first value and a second value from in-band metadata of packet, and generates, using a cryptographic key that is unique to each respective network node, an encryption result based on the first value. An updated second value is generated based on the second value read from the packet and the encryption result. Each network node writes the updated second value to the in-band metadata of the packet, and forwards the packet in the network. In another embodiment, a secret sharing scheme is employed by each network node computes a portion of verification information using a unique share of a secret and based on the packet specific information.

Abstract: In one embodiment, a sleep proxy device identifies one or more services offered by a first node in the network. The sleep proxy device announces the one or more identified services to a second node in the network on behalf of the first node. The sleep proxy device intercepts an attempt by the second node to use the one or more services offered by the first node. The sleep proxy device causes the first node to switch from a low power state to an awake state, based on the intercepted attempt.

Abstract: Embodiments of the disclosure pertain to activating in-band OAM based on a triggering event. Aspects of the embodiments are directed to receiving a first notification indicating a problem in a network; triggering a data-collection feature on one or more nodes in the network for subsequent packets that traverse the one or more nodes; evaluating a subsequent packet that includes data augmented by the data collection feature; and determining the problem in the network based on the data augmented to the subsequent packet.

Abstract: Embodiments of the disclosure pertain to activating in-band OAM based on a triggering event. Aspects of the embodiments are directed to receiving a first notification indicating a problem in a network; triggering a data-collection feature on one or more nodes in the network for subsequent packets that traverse the one or more nodes; evaluating a subsequent packet that includes data augmented by the data collection feature; and determining the problem in the network based on the data augmented to the subsequent packet.

Abstract: In one embodiment, a lower protocol layer in a network device filters packets based on a class and a particular of a destination address prior to sending information from the received packet to a higher protocol layer. For example, certain constrained networks include network nodes that do not have the ability to maintain a multicast distribution entry for each multicast address used in the network. By only forwarding on a portion of a multicast address, packets are often delivered to nodes in addition to the actual multicast subscribers. By filtering these incorrectly delivered packets at a lower protocol layer (e.g., layer-2 or layer-3), processing cycles at higher protocol layers are avoided. Additionally in one embodiment, class and particulars are deterministically determined (e.g., using a same hashing function) such that services can be discovered and used by subscribing to a corresponding multicast group.